Securing The Smartwatch

Recently Kevin Bocek, Vice President of Security for Venafi, has made several comments on how smartwatch security needs to keep up to date if it stands a chance in the current threat landscape. Here is what Kevin Bocek had to say:

“The Internet of Things (IoT) will continue to be a frequent target for cybercriminals as its prevalence in the market increases. Security, however, appears to be an afterthought when it comes to internet-enabled devices such as smartwatches.

Much like our day-to-day mobiles, tablets and computers, anything that connects to the internet needs to be secure in order to protect our data. SSL/TLS keys and certificates form the foundation of trust on the Internet, and the prevalence of vulnerabilities and attacks on these have shown us that this problem is not going away and we must be vigilant in protecting them. The issues are only exacerbated when extended to IoT as the number of unsecured keys and certificates propagates. There’s too much blind trust when it comes to SSL/TLS, and attacks such as Heartbleed and POODLE are becoming far too frequent as the bad guys take advantage of the increase in the number of devices, applications and clouds that depend on the trust provided by keys and certificates. Attackers mask their true identity using keys and certificates and hide their actions by encrypting data, which means you can’t look inside for threats.

With a compromised or stolen key, cybercriminals can impersonate, surveil, and monitor your targets as well as decrypt traffic or impersonate a trusted website, code, or administrators. Recent attacks demonstrate that cybercriminals are exploiting the vulnerabilities created from unsecured keys and certificates. Once compromised, the attackers have free rein on the target’s networks and remain undetected for long periods of time with trusted status and access. Bad guys will likely look for the easy target, and a device such as a smartwatch is like waving a red flag to a bull!

What does this mean to organizations who rely on these technologies? It provides a sobering wake-up call that they must 1) know where all their keys and certificates are installed; 2) have detailed information on each key (including owner, algorithm and key lengths, among others); and 3) have recovery plans in place to replace any key, certificate, or service that has been compromised and get it done within hours, not days or weeks.”